The BSides Boston 2017 Breaking Into InfoSec Panel Questions

Apr 16, 2017

At the BSides Boston 2017 Security Conference held at Harvard University’s Science Center, there was an afternoon panel “Breaking Into infosec.” The invited panelists: Tracy Z. Maleeff, Justin Pagano, and myself. The moderator was Keith Hoodlet. The abstract of the panel as written on the schedule:

Are you interested in Information Security, but you don’t know where to start? Are you a professional in another field, wanting to switch into Information Security? Or maybe you’re a Security Professional looking to make a move, and want to know what hiring managers are looking for. In this panel we will cover various topics for shepherding your career in Information Security from three different perspectives. The panelists - including an educator, a recent convert, and a hiring manager - will field a series of questions on topics including:

What skills are employers looking for?

What resources are students currently leveraging?

How can you get involved in Security (even if it’s outside your current role)?… and any other questions you might have!

We had a fantastic time on the panel. Sadly, the panel was only an hour long and we did not answer all the planned questions or answer any questions from the audience. The panel could have continued for a very long time. Before the conference, panelists were given a list of ten questions to prepare for: Keith wrote the questions (thanks again Keith). Only six of the questions were asked in the panel due to limited time. Here were the ten questions that were planned and my response to each question:

Question 1:

(To Tracy) What have you found to be the biggest challenge for entering into the industry?

(To Justin) What have you found to be the biggest challenge in hiring for the industry?

(To Me) What have you found to be the biggest challenge in preparing students for the industry?

Working on open-ended problems. I am appalled by how students are generally uncomfortable with working on unstructured and open-ended problems. The problem becomes glaring during students’ first internships, as I constantly see comments in Curricular Practical Training (CPT) reports such as “I wish my supervisors had described the overall structure in a little more detail” or “I was simply freaking out with the fact that I did not have an assignment with a roadmap.” That’s normal, and that’s reality. Generally speaking, in the real world you will not be given detailed specifications as in most academic classes.

Get students to talk through vague and open-ended problems.

Getting them to get experience early and often. There is no substitute for real work experience.

No hand-holding (I do not do that).

Question 2:

(To Tracy) What skills have you focused on developing for building your career?

(To Justin) What skills are you looking to hire for?

(To Me) What skills are students focusing on learning today?

Taking responsibility for one’s own learning; college is not an end.

I did not take a course in web development, mobile development, or security when I was an undergrad (1998-2002).

Reading

Writing

Question 3:

(To Tracy) What resources have you found useful in preparing for job interviews?

(To Justin) What resources does your team leverage on a regular basis?

(To Me) What resources are students leveraging to develop their skills?

What: Because Cyber Security is a very broad field that encompasses many disciplines and changes rapidly, we expect every student in the class to participate in ways not explicitly defined by the curriculum and syllabus.

Why: We want our students to be strong in: (1) taking responsibility for one’s own learning, (2) actively engaging with a larger community outside the classroom (e.g., a professional group), (3) being active citizens, and (4) working on an open-ended project. Cyber Security presents many opportunities outside the classroom.

We can’t teach everything about Cyber Security in this class nor can we show all the opportunities that are out there.

We want to give students the flexibility and freedom to explore what is out there with regard to Cyber Security.

We want to grow students’ intellectual curiosity and have them take responsibility for their own learning.

We want to see students engaged with the community in some capacity outside of the classroom; that’s where the real learning is.

Question 5:

(To Tracy) Have you pursued certifications as a mechanism for growing your career? Why or why not?

(To Justin) When reviewing resumes, do you find that you’re more likely to interview someone with a certification? Why or why not?

(To Me) Do you encourage your students to pursue additional certifications? Why or Why Not?

Ask yourself: do you need it? (thanks to Peter Sullivan back in 2007). Some jobs (e.g., working at the Department of Defense) require certifications.

I advocate for the SANS Institute because I am an alumnus and I am very grateful for what I got out of the SANS SEC504 course (GCIH certified from 2007-2011). I give each student in my Security class a SANS poster before the CTF game.

Question 6: What transferable non-infosec skills have you found to be assets within the security industry?

I worked at Harvard for ten years at the Department of Environmental Health & Safety (EH&S). Looking back, I am now more grateful for working there. The reasons:

I was the only tech person in the Department. Thus, I had to communicate to mostly non-technical personnel.

I learned the business context of Environmental Health & Safety (EH&S). I applied my technical knowledge to build tools to support the Department; most of those tools are still in production today.

I was exposed to the importance of industrial hygiene, occupational safety, and public health. As Chris Wysopal once said to me, something along the lines of: “you can’t graduate from a Civil and Environmental Engineering program without learning about health and safety, but you can graduate from a Computer Science program without learning about security, hygiene, and safety.” Alas, we are still facing the same issues we have faced for decades.

Question 7: What standards or practices do you see other fields using that you think infosec could benefit from adopting? (not asked in the panel)